On 04/04/15(Sat) 14:40, Adam Wolk wrote:
> On Sat, Apr 4, 2015, at 01:53 PM, Stuart Henderson wrote:
> > Hi Adam, you can find kernels that are quite likely to be identical to
> > before that commit
> > if
> > you'd like to give that a try.
> >
>
> I did a test with the kernels you provided. Here are the results.
>
> bsd.sp
> OpenBSD 5.7 (GENERIC) #825: Sun Mar 8 10:59:14 MDT 2015
> DHCPDISCOVER on startup doesn't receive a network address (same as new
> one) - no crash
> sh /etc/netstart results in panic:
>
> Note that I'm copying this by hand. If something is 'off' then I
> probably mistyped.
> I have the kernel currently sitting at the ddb prompt - not rebooting
> yet.

This looks like a use after free in the re driver. That's something hard to find as the trace does not tell us *when* it happened. You mentioned earlier some watchdog timeout. Do you know if you always see one when the pool corruption triggers? You can type "dmesg" at the ddb prompt to check if there's any weird message before the panic.

>
> panic: pool_do_get: mc12k free list modified: page 0xffffff00a569d000;
> item addr 0xffffff00a569d000; offset 0x0=0x1000608c1aa77cc1 !=
> 0xa23fc8f9e7243410
> Stopped at Debugger+0x9: leave
> ddb> trace
> Debugger() at Debugger+0x9
> panic() at panic+0xfe
> pool_do_get() at pool_do_get+0x2ee
> pool_get() at pool_get+0xb5
> m_clget() at m_clget+0x51
> re_newbuf() at re_newbuf+0x32
> re_rx_list_fill() at re_rx_list_fill+0x35
> re_rxeof() at re_rxeof+0x35e
> re_intr() at re_intr+0x19b
> intr_handler() at intr_handler+0x28
> Xintr_ioapic_edge19() at Xintr_ioapic_edge19+0xdd
> --- interrupt ---
> Bad frame pointer: 0xffff800032c1cf10
> end trace frame: 0xffff800032c1cf10, count: -11
> cpu_idle_cycle+0x13:
> ddb>
>
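
The point made in the reply above, that the trace shows where the corruption was noticed and not when it happened, as an added example (not part of the original mail and not OpenBSD's pool code): a toy free-list allocator that stamps a check value at offset 0 of each freed item and verifies it only on the next allocation. All names and the secret value are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NITEMS 4

/* Header kept in an item only while it sits on the free list. */
struct free_item {
    uintptr_t magic;            /* offset 0x0: value derived from the item address */
    struct free_item *next;
};
union item { struct free_item hdr; unsigned char bytes[64]; };

static union item page[NITEMS];
static struct free_item *free_list;
static const uintptr_t secret = 0x5ca1ab1eUL;  /* constructed; a real pool would randomize this */

static uintptr_t expected_magic(const void *p) { return (uintptr_t)p ^ secret; }

static void toy_put(void *p) {
    struct free_item *fi = p;
    fi->magic = expected_magic(p);  /* stamp the header on free */
    fi->next = free_list;
    free_list = fi;
}

/* Returns an item; sets *modified when the free-list header no longer matches. */
static void *toy_get(int *modified) {
    struct free_item *fi = free_list;
    *modified = (fi != NULL && fi->magic != expected_magic(fi));
    if (fi == NULL || *modified)
        return NULL;            /* a kernel would panic here */
    free_list = fi->next;
    return fi;
}

/* Returns 1 if the allocation made after the free tripped the check. */
int next_get_detects(int stale_write) {
    int modified;
    free_list = NULL;
    for (int i = 0; i < NITEMS; i++)
        toy_put(&page[i]);
    unsigned char *buf = toy_get(&modified);   /* owner takes a buffer */
    toy_put(buf);                              /* owner frees it */
    if (stale_write)                           /* stale pointer written after the free */
        memset(buf, 0xc1, sizeof(uintptr_t));  /* nothing fails at this point */
    toy_get(&modified);                        /* later, unrelated allocation */
    return modified;
}
```

The stale write itself returns silently; only the following `toy_get()` reports the mismatch, so the caller on the stack at detection time need not be the code that kept the stale pointer.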